Nasscom to make India ‘Fort Knox’ of IT sector

[ How this can be done by NASSCOM when NASSCOM is MAJORITY partner in NISG ?}

http://www.mumbaimirror.com/nmirror/mmpaper.asp?sectid=13&articleid=71420062247148437142006224520437

Aims to get 70 pc workforce listed in a centralised database; in touch with engg colleges for the same

Sanjiv Kumar

New Delhi: The National Association of Software and Service Companies (Nasscom) is bullish on its National Skills Registry (NSR) initiative and is targeting 25 IT majors for this drive in the next two months. The aim is to improve recruitment in the IT-ITeS sector which is suffering from ever-increasing incidents of frauds and fake CVs.

Since its launch in January, about 18 IT firms – including Mphasis, TCS, Genpact, NIIT, Cognizant and ICICI OneSource – have already come forward to join the NSR. “The target for the next two-three months is to get all the top 25 companies, which account for 70 per cent of the workforce within the IT-ITeS sector, to enrol for the NSR,” Nasscom President Kiran Karnik told Mumbai Mirror.

What is the NSR?

The NSR is an initiative undertaken by the apex industry body to create, operate and maintain a national database of employees working in the IT-BPO industry in India.

It contains third-party verified personnel, their qualifications and basic career information of IT professionals.

According to Karnik, the inclusion of big IT-BPO players in the NSR, which is an employee-friendly measure to minimise any misuse of employee identity, will inspire small firms to join the novel league.

“We aim to make India the Fort Knox of security, positioning ourselves as the ‘gold’ standard for security as we already are in quality,” he added.

It won’t be easy!

In an industry that employs over 4,00,000 persons and sees a churn of nearly 4,000 agents every week, maintaining and updating a database like the NSR is an uphill task, according to some industry experts.

Admitting that the NSR will take some more time to be operational, Karnik still felt that the NSR was the need of the hour to ensure smooth development of the domestic IT industry which could be threatened by the slightest problem with physical security and governance.

After all, these issues, if not properly handled, could derail growth and hopes of the IT industry. According to a joint Nasscom-McKinsey study, the IT-BPO exports are expected to reach $60 billion in 2010, from just over $17 billion last year.

Engineering students welcome too

Besides IT and BPO firms, Nasscom is also in touch with engineering graduates to sign up for the NSR. “Letters have already been sent by Nasscom to heads of institutions like IITs, NITs and several private engineering colleges with NSR details and an outline of the advantages it offers,” Karnik stated. Nasscom has also urged these institutions to share the information among the Final Year students.

The association plans to hold roadshows in major cities on the issue. Such shows have already been held in metros.

NASSCOM has not responded to any of the correcpondences.

Mr. R. Chandrashekar has not given proper answers to formation of NISG.

Mr. J. Sathyanarayana, CEO of NISG has not responded to any of the letters.

Mr. R. Chandrshekar and Mr. J. Sathyanarayana have gone to the extent of providing CONFIDENTIAL INFORMATION to another IAS Officer whp works in WORLD BANK to RESPOND to an article in DATAQUEST and CIOL.

UNDP has not responded to the queries of Citizens of INDIA.

UNDP in INDIA has not responded either with their answers to the letters.

How can NASSCOM be a partner in NISG ? being an ASSOCIATION in INDIA ?

1. October 2000

Information Technology Act 2000 was passed. Use of 128 Bit SSL & Digital

Certificate made mandatory for e-commerce activities. As per IT ACT 2000 for

any electronic document to be legally valid, it should be digitally signed by

Digital Certificate issued by any Licensed Certifying Agency (CA) approve by

Controller of Certifying Agency (CCA).

2. September 2001

Government of Andhra Pradesh (GoAP) Core implementation committee was

formed to implement eProcurement and PWC (Price water house coopers was

appointed as consultant). They were paid Rs. 1.75 Cr for 5 projects, approx Rs. 35

Lakh/Project as consultancy fee. Ref. pwc hired as consultant.pdf.

3. Feb 2002

CCA granted license to Safescrypt on 5th February, 2002, India’s first CA. SAFESCRYPT Ltd, a Satyam Infoway company affiliated with VeriSign Inc,

7. In June 2002,

www.eprocurement.gov.in launched without compliance to IT ACT 2000, Digital

Certificate, PKI. GoAP gives lame excuse that since Digital Certificates are not

www.eprocurement.gov.in domain? WHY?

1.) .gov.in domain belongs to only government organizations, how come the same

Nasdaq-listed CommerceOne. The Government of Andhra Pradesh and Principal

service provider and Government of AP) and eProcurement services was

continued to be used in ASP model

  - GoAP pays nothing – i.e. Rs. 4,500/Tender waived off

- For Tender>50 Cr – each participating bidder pays 0.04% of Tender value or

  Digital certificates made mandatory from April 2005. Digital certificate are used

  Tendercity demonstrate to IT Secretary Shri Narsing Roa, the loopholes and

  Tendercity demonstrates to Principle Secretary & MD APTS the security

  GoAP accepts vide their email dated 5th December, 2005 that

  1.) www.eprocurement.gov.in is property of GoAP

3.) GoAP accepts that till December 2005, price bid submitted by 10,000 of

  To cover things up, IT Secretary gives a clean chit to Service provider – C1 India

Dear Mr. Kumaraswamy,

Please find below one more affair of C1 India management affair, Karnataka has come up with a Tender for eProcurement on PPP model as of Andhra Pradesh, Please look in to the matter if Good Business Practices can be ensured:

 An Unbelievable Act of World Bank

Dear Mr. Bhavnani,

Saturday morning i had a bitter taste of my coffee sip while reading a news of World Bank as linked below

http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/EXTEGOVERNMENT/0,,contentMDK:20870206~menuPK:702592~pagePK:148956~piPK:216618~theSitePK:702586,00.html

Before patronizing/glamourizing a SCAM you would have done some Homework on your own or through your investigating agencies. Should we believe that World Bank has lost the basic motive of the Millenium Development Goal or eGovernance at large?

I had earlier informed the person incharge in World Bank Mr. Knut Leipold about the facts of eProcurement being practiced in Andhra Pradesh, long back and had requested him to assign suitable time for a demonstration about what other good inititaives had been taken in India, The Best Practice Real eProcurement in India, but since then I’m waiting for his confirmation.

You are requested to read the following link to understand the other side, story of SCAM in the name of eProcurement in Andhra Pradesh, India -

http://www.mpez.net//eprocurement-scam/default.asp

The above mentioned story tells the real truth of a big scam in the name of eGovernance (eProcurement) in Andhra Pradesh.

The representation had been lodged to all the concerned officials in Andhra Pradesh and GoI, but nothing has happened till now and as a sheer surprise World Bank is validating a SCAM and glorifying it to the World for practicing something opposite to the motive of World Bank Belief. Had it been posted under “eProcurement Scam” on World Bank’s website?

While pursuing it with the GoAP and GoI officials we concluded that they might have been working Hands in Glove with this SCAM but to our Ultimate surprise WORLD BANK could not even distnaced themselves of the similar apprehension.

Investigate the Corruption and inappropriate eProcurement charges got established while exchanging communication with the GoAP and APTS the implementing agency (Detailed in the Scam link above).

Why it had violated the IT Act 2000 till 2005? Does World Bank appreciate violation of Local Government Laws?

You mention in the case study of such report that “Encryption of data is happening on Server” what happens when it arrives on the server? did it not arrive in clear text on server? did the system administrator do not have access to these data?

a lot other you will find when reading the represented “eProcurement SCAM in Andhra Pradesh” Link.

With a sheer Shame and Great Disappointment “I WAS WORRIED TILL NOW FOR INDIA, NOW I AM WORRIED FOR THE ENTIRE WORLD” 

Had I skipped this News?…………

For Global Citizen’s shake investigate it properly and request GoI for penalizing all the guilty and culprits of this nature of affair.

As a request to Mr. Knut Leipold – I’m still waiting to demonstrate the real eProcurement system in practice (Working in FOSS environment) for which MDBs had drafted a guideline. Please assign us your valuable time.

Thanks & Regards

Dr. Manoj Verma

+ 919376128329

On June 21, 2004, I made a request for information to the Communications Office of the United Nations Development Programme (UNDP) under the UNDP Information Disclosure Policy. On August 25, 2004, I made a request for review of the refusal to provide information to the Oversight Panel established under the Policy. The Oversight Panel has not yet made a decision.

http://foi.wikispaces.com/UNDP

http://foi.wikispaces.com/space/showimage/Roberts_UNDP_Aug25_04.pdf

Letters from civil society organizations asking the UNDP to complete its processing of the request:

http://foi.wikispaces.com/space/showimage/A19_UNDP.pdf

http://foi.wikispaces.com/space/showimage/A19_UNDP_Response.pdf

http://foi.wikispaces.com/space/showimage/BIC_UNDP.pdf

http://foi.wikispaces.com/space/showimage/BIC_UNDP_Response.pdf

http://foi.wikispaces.com/space/showimage/CHRI_UNDP.pdf

UNDP statement on the right to information

The UNDP made a statement about the importance of the right to information in an April 2006 report. It said: “UNDP can play an important role in promoting right to information in a number of ways including levering its relationships with host governments; acting as a catalyst for change by supporting different right to information initiatives; identifying opportunities for constructive intervention in the debates and discussions that are likely to be taking place; using its own global expertise and experience of working on democratic governance issues; and meeting the commitments set out in its own Information and Disclosure Policy (IDP).”

manoj verma <drmkv@yahoo.co.in> wrote:

Dear All,

I had sent the below mentioned mail to the concerned officials of World Bank last week which got bounced (This is one more IRONY of the World Bank’s eGovernance Management), I resent it from another mail_id which has yet not reported to be bounced back but i have yet not received any acknowledgement till this time. These acts compell us to believe World Bank’s functioning like a Taluka affair where you are on mercey of the officers if they wish to acknowledge you or favor you by responding.

The posting was as below:

————————————————————-

Dear Mr. Bhavnani,

Saturday morning i had a bitter taste of my coffee sip while reading a news of World Bank as linked below

http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTINFORMATIONANDCOMMUNICATIONANDTECHNOLOGIES/EXTEGOVERNMENT/0,,contentMDK:20870206~menuPK:702592~pagePK:148956~piPK:216618~theSitePK:702586,00.html

Before patronizing/glamourizing a SCAM you would have done some Homework on your own or through your investigating agencies. Should we believe that World Bank has lost the basic motive of the Millenium Development Goal or eGovernance at large?

I had earlier informed the person incharge in World Bank Mr. Knut Leipold about the facts of eProcurement being practiced in Andhra Pradesh, long back and had requested him to assign suitable time for a demonstration about what other good inititaives had been taken in India, The Best Practice Real eProcurement in India, but since then I’m waiting for his confirmation.

You are requested to read the following link to understand the other side, story of SCAM in the name of eProcurement in Andhra Pradesh, India -

http://www.mpez.net//eprocurement-scam/default.asp

The above mentioned story tells the real truth of a big scam in the name of eGovernance (eProcurement) in Andhra Pradesh.

The representation had been lodged to all the concerned officials in Andhra Pradesh and GoI, but nothing has happened till now and as a sheer surprise World Bank is validating a SCAM and glorifying it to the World for practicing something opposite to the motive of World Bank Belief. Had it been posted under “eProcurement Scam” on World Bank’s website?

While pursuing it with the GoAP and GoI officials we concluded that they might have been working Hands in Glove with this SCAM but to our Ultimate surprise WORLD BANK could not even distnaced themselves of the similar apprehension.

Investigate the Corruption and inappropriate eProcurement charges got established while exchanging communication with the GoAP and APTS the implementing agency (Detailed in the Scam link above).

Why it had violated the IT Act 2000 till 2005? Does World Bank appreciate violation of Local Government Laws?

You mention in the case study of such report that “Encryption of data is happening on Server” what happens when it arrives on the server? did it not arrive in clear text on server? did the system administrator do not have access to these data?

a lot other you will find when reading the represented “eProcurement SCAM in Andhra Pradesh” Link.

With a sheer Shame and Great Disappointment “I WAS WORRIED TILL NOW FOR INDIA, NOW I AM WORRIED FOR THE ENTIRE WORLD” 

Had I skipped this News?…………

For Global Citizen’s shake investigate it properly and request GoI for penalizing all the guilty and culprits of this nature of affair.

As a request to Mr. Knut Leipold – I’m still waiting to demonstrate the real eProcurement system in practice (Working in FOSS environment) for which MDBs had drafted a guideline. Please assign us your valuable time.

Thanks & Regards

Dr. Manoj Verma

+ 919376128329

To: eGovINDIA@yahoogroups.com,  umashankarc@yahoo.com, vmkannada@gamail.com
CC: kemal.dervis@undp.org, egovindia@yahoogroups.com, presidentofindia@rb.nic.in, dch@yojana.nic.in, mos@mit.gov.in, pmosb@pmo.nic.in, 10janpath@vsnl.net, soniagandhi@sansad.nic.in, nkchoudhary@sansad.nic.in, psgadhavi@sansad.nic.in, nivedita@sansad.nic.in, ddgasab@cag.delhi.nic.in, ssadel@cbi.nic.in, adco@cbi.nic.in, cvc@nic.in, mocit@mit.gov.in, secyegov-dpar@karnataka.gov.in, cs@karnataka.gov.in, cm@karnataka.gov.in, “‘Cc:’” <secy_it&c@ap.gov.in>, cmap@ap.nic.in, drysr@ap.gov.in, ksdir@hub.nic.in, moni@hub.nic.in, secretary@mit.gov.in, jsegov@mit.gov.in, ceo@nisg.org, vs@nisg.org, maxine.olson@undp.org, zephirin.diabre@undp.org, hafiz.pasha@undp.org, jan.mattsson@undp.org, david.lockwood@undp.org, terence.d.jones@undp.org, darshak.shah@undp.org, mari.matsumoto@undp.org, vmkumaraswamy@yahoo.com,  egovindia@yahoo.com, kkarnik@nasscom.org, saravade@gmail.com, mumbai@nasscom.org, mail@dqindia.com
Subject: FW: eProcuremnet scam – why my integrity,credibility, capability is being questioned
Date: Wed, 30 Nov 2005 10:28:16 +0530
_____________________________

From: Ramesh Sinha [mailto:rsinha@tendercity.com]
Sent: Wednesday, November 30, 2005 10:26 AM
To: ‘addlsecy_agr@ap.gov.in’; ‘addlsecy_efst@ap.gov.in’; ‘addlsecy_hsng@ap.gov.in’; ‘addlsecy_ict@ap.gov.in’; ‘advgovt_fin@ap.gov.in’; ‘advisor_it@ap.gov.in’; ‘apstocm@ap.gov.in’; ‘asstsecy_letf@ap.gov.in’; ‘bethapudi@yahoo.com’; ‘binoy@ap.gov.in’; ‘cpro_cm@ap.gov.in’; ‘cs@ap.gov.in’; ‘cvsksarma@ap.gov.in’; ‘dfa_pmu@yahoo.com’; ‘drpsubrahmanyam@ap.gov.in’; ‘gopikrishna@ap.gov.in’; ‘healthsys@rediffmail.com’; ‘jannathussain@ap.gov.in’; ‘jdinfra_it&c@ap.gov.in’; ‘jtsecy_fin@ap.gov.in’; ‘jtsecy_rsad@ap.gov.in’; ‘mgvkbhanu@ap.gov.in’; ‘mnrao@ap.gov.in’; ‘murali@ap.gov.in’; ‘nshari@ap.gov.in’; ‘osd_fin@ap.gov.in’; ‘prabhakarreddy@ap.gov.in’; ‘prabhakert@ap.gov.in’; ‘praghuveer@ap.gov.in’; ‘pratapsp@gmail.com’; ‘prl.secyagr@ap.gov.in’; ‘prlsecy_agr@ap.gov.in’; ‘prlsecy_cm@ap.gov.in’; ‘prlsecy_hmfw@ap.gov.in’; ‘prlsecy_letf@ap.gov.in’; ‘prlsecy_minwelf@ap.gov.in’; ‘Prlsecy_sw@ap.gov.in’; ‘PS_CM@ap.gov.in’; ‘pstocm@ap.gov.in’; ‘ramakanth@ap.gov.in’; ‘ratnaprabha@ap.gov.in’; ‘rksuman@ap.gov.in’; ‘schanda@ap.gov.in’; ‘scio@ap.gov.in’; ‘seclegis@a.p.nic.in’; ‘Secy_BCW@ap.gov.in’; ‘secy_bud_fin@ap.gov.in’; ‘Secy_FOOD@ap.gov.in’; ‘secy_hmfw@ap.gov.in’; ‘secy_poll_gad@ap.gov.in’; ‘Secy_R&E_FIN@ap.gov.in’; ‘secy_rws_prrd@ap.gov.in’; ‘secy_se_edn@ap.gov.in’; ‘Secy_TW_SW@ap.gov.in’; ‘so_portal@ap.gov.in’; ‘SplSecy_efst@ap.gov.in’; ‘tchatterjee@ap.gov.in’; ‘tigdi@ap.gov.in’; ‘tparthas@ap.gov.in’; ‘cmap@ap.gov.in’; ‘cmap@ap.nic.in’; ‘drysr@ap.gov.in’; ‘NarsingRao’
Cc: ‘drverma@tendercity.com’
Subject: eProcuremnet scam – why my integrity,credibility, capability is being questioned

From: Ramesh Sinha [mailto:rsinha@tendercity.com]
Sent: Wednesday, November 30, 2005 10:23 AM
To: ‘pmeprocurement’
Cc: ‘NarsingRao’; ‘P Raghuveer’
Subject: RE: eProcurement- tender cityDear Sir,Instead of taking action against M/s. C1 India Pvt. Ltd. we are surprised to see that the Government of AP has started to grill us for bring out in public the loopholes in the eProcurement system www.eprocurement.gov.in it uses. I think whistle blowers in our great country
India, cannot escape it and hence we are complying with your request with this mail. I have not yet received any reply to the question raised by me on 24^th of November, 2005. Please let me know if It would be wrong to assume that Government of AP is trying to cover up the issue by asking irrelevant question and questioning my credibility, capabilities and integrity. Not that I have answered your email promptly, can I expect reply to the questions raised by me on 24^th of November after 6 days.Applitech Tendercity.com has enabled the first eTender in
India in July 2003 which complied to IT Act, and was digitally signed. Since then till date we have enabled eTenders & eAuctions for government department in excess of Rs. 8,000 Crores. Some of our customers includes Gujarat Water Supply and Sewerage Board, Sardar Sarovar Narmada Nigam Limited, Government of Rajasthan, Gujarat
Narmada Valley Fertilizer Company, Indian Oil Corporations, etc.I have bought to your notice the major security loopholes because of which the secrecy of price bid can be compromised. There are 100’s of live tenders currently available on www.eprocurement.gov.in and because of which I had requested Government of AP to pull down the site immediately, which for some reasons beyond has been not done. I further take this opportunity to point that I had demonstrated our entire system to your colleague for almost 2 hours. I unfortunately do not recollect his name, but he was there when I met the IT secretary.Ramesh SinhaCEOApplitech Tendercity.com I Pvt. Ltd

9825021784

___________________________________________________

From: pmeprocurement [mailto:pmeprocurement@ap.gov.in]
Sent: Tuesday, November 29, 2005 9:30 PM
To: rsinha@tendercity.com
Cc: NarsingRao; P Raghuveer
Subject: eProcurement- tender cityDear Mr.Ramesh Sinha,

Yours Sincerely,
K.Bikshapathi
Project Manager,
eProcurement,
Ph.No.23451055
Fax.No.23450103

1. Service Provider fully controls and owns the eprocurement.gov.in site and all the data on that site
2. Encryption was done using internal algorithm for symmetric encryption on the server side, till Feb 2005.
3. Digital Certificates were not used till Feb 2005.  The GoAP accepts that Digital Certificates were available as on Jan 2003.
4. GoAP does not have any objection if price bids of all contracters can be accessed by the service provider before tender opening date, as the GoAP has blanket trust on the ethics of the Service Provider, C1 India Pvt Ltd.  This is despite the fact that 3 different companies have filed lawsuits involving C1 India charging them with various unethical practices.
5. We have demonstrated clearly to the GoAP IT Secy on 24 Nov, and APTS on 3 Dec the various technology issues and best practices.  The GoAP still insists on continuing their blind trust on the service provider.
6. The GoAP admits that the price bids reach the application in readable clear text, and subsequently are subject to encryption.  The GoAP is explained this loophole and still continues to use this site.
7. The GoAP is remaining silent on the fact that the SSL certificate is issued by a
   US based private company, which is not recognized by the CCA of India.  The GoAP also is not able to explain how the ownership of a .gov.in domain is given to a private limited company, as is mentioned in the Server Certificate.
8. PWC, who was asked to conduct a security audit, is a consortium partner with C1 India for eprocurement tender invited by other state governments.

We request that:

1. The site eprocurement.gov.in be pulled down immediately
2. All the 9841 tenders be investigated given the admissions of lack of secrecy.
3. To penalize the service provider and its champions within the government for willfully and knowingly supplying and using a sub standard eprocurement system.
4. As per you instructions of the IT Secretary, we are making the letter LR.No. 2852/eProcurement/IT&C Department/2005 Dated 5.-12-2005 public.  We request all interested and knowledgable people to carefully review the letter and send their comments to the IT Secretary, and educate him on technology.

From: pmeprocurement [mailto:pmeprocurement@ap.gov.in]
Sent: Monday, December 05, 2005 6:41 PM
To:
rsinha@tendercity.com
Cc: NarsingRao; P Raghuveer; ratnaprabha; Sunitha Natti
Subject: Fw: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).

Dear Mr Ramesh Sinha,

Greetings.

Please find attached our reply to the issues raised in your mails dated 8/11/05, 26/11/05 on eProcurement platform of GoAP. A physical copy will follow. Meanwhile, it is requested to forward our reply immediately to all those to whom you have mailed letters( referred above) either in physical mode or email and host the reply prominantly in the  web site www.tendercity.indiatimes.com for 15 days at  your cost.

Yours Sincerely,
K.Bikshapathi
Project Manager,
eProcurement,
Ph.No.23451055
Fax.No.23450103

—– Forwarded by pmeprocurement/IT/HYD/APGOVT on 05/12/2005 06:26 PM —–

Dear Mr Ramesh Sinha,

Greetings.

your mail has been forwarded to me and we are examining the issues raised there in.

Yours Sincerely,
K.Bikshapathi
Project Manager,
eProcurement,
Ph.No.23451055
Fax.No.23450103

—– Forwarded by pmeprocurement/IT/HYD/APGOVT on 26/11/2005 09:15 PM —–

To
The Secretary
Information Technology and Communication Department
Room No. 433, 3^rd Floor, D Block, AP Secretarial
Hyderabad – 500 022
Date: 26^th November, 2005
Kind Attn. : Mr. Narsing Rao
 
Subject: eProcurement scam worth Rs. 38,000 Crores in Andhra Pradesh).
 
Dear Sir,
I am herewith listing the points discussed during our meeting at your office on 24^th of November, 2005 regarding the major security loopholes in www.eprocurement.gov.in. Further you are requested to immediately pull down the website as using the system till the time the below security loopholes are not patched, would mean compromising with the Public Procurement Practices at large where “Public Money” is at stake.
 
·        Though the Tender/Project was awarded under IT Act 2000, Digital Certificates were only incorporated after March 2005. This means that approx 5000
Tenders worth Rs.31,000 Crore were enabled in an insecure fashion where system administrator could access to the price bids submitted by 10’000 odd bidders before due date and time.
 
·        Though the government made it mandatory to introduce Digital certificate after March 2005, but as of November 2005, the “Goods” Tender are being submitted without being digitally Signed and are not stored in encrypted fashion (that is encryption is not done using Buyer’s Digital Certificate. When we logged into your system, we could actually edit our bid and this proves the above point.
 
·        As of November 2005, the “Works” Tender are only Digitally Signed, but are not stored in Encrypted Fashion using Digital Certificate.
 
·        As of November 2005, during bid submission process a detached digital signature is being generated because of which Original Bid and its Signature are separately stored in the database ie. If a bidders quotes Rs. 1000 as his price bid, Rs. 1000 is stored in database in readable format and Digital Signature of Rs. 1000 is separately stored. Because of this loophole the system administrator can have access to the price bid of a Bidder before due date and time. One of your officer who was present objected to this point and said that it was actually attached signature that was being generated. I suggested that we save the page from www.eprocuremnent.gov.in and call the TCS- CA (Certifying Authority), your CA Vendor and ask them to clarify to which I didn’t get any reply from yours or your colleague, which validates this loophole.
 
·        After the bid is submitted by a contractor, the system throws a message that “you can not edit the bid because it is encrypted” whereas in reality the bids are actually stored in a readable fashion which can be accessed by system administrator. As per your colleague’s comments, the encryption takes place at server level. If the bid reaches the server in readable fashion then there is no point of encryption in the system as the administrator can read it, make a copy of it, or share it. Ideally it should be encrypted at client machine and then transferred to the server. When we submitted the bid, there was no encryption done on client machine and as per your colleague it was done at Server level which compromise with security and thus secrecy of price bid.
 
·        M/s. C1
India, the service provider must have known the loopholes and yet didn’t do anything about it in spite of the fact that 10,000 e
Tenders worth Rs.38,000 Crore has been enabled. This validates the major flaw in Public Procurement system in Andhra Pradesh where www.eprocurement.gov.in is being used.
 
·        Inspite of offering a substandard and security lapse services M/s. C1 India is charging very high charges for the same other than what they are quoting to other Governments  1/10^th of the rate for similar services but still the Government of AP has not negotiated the rate with C1 India and not warned them for removing the flaws in security to check compromise with Public Procurement Practices.
 
·        We asked to tell us as who was the system administrator – Some AP Government officer or M/s. C1 India Pvt. Ltd and you had no idea about the same. The officer in charge of eProcurement who was also present during the meeting did not share as who was the system administrator. Given the fact that 10,000 Tender worth Rs. 38,000 Cr. were enabled on such insecure manner, we are forced to believe that it should be actually M/s. C1 India Pvt. Ltd, which basically strengthens our doubts and lapse in e-Tendering (could be intentional because of some vested interest). No government officer would have allowed such insecure application in the first place if he would have been the system administrator as he would have known the above mentioned serious and major lapse in the security & secrecy of the Bids.
 
Because of the above loopholes, you are requested to pull down the insecure website www.eprocurement.gov.in immediately. We eagerly wait for your immediate action in this regard.
 
If our request to pull down the site by November, 26^th 2005 is not entertained we will be forced to go to the public to inform them about the above loopholes and the risk contractors face, when they participate in e
Tenders. The public money is being risked and as a responsible citizen and socially conscious Company, we cannot allow this to continue any longer.
 
We have also requested to be given the opportunity to demonstrate the above loopholes in person to you or agency like Andhra Pradesh Technology Services on 25^th of November, 2005. We have not received any confirmation for the same till now.  We fear that M/s. C1 India will change the code of website if we do not get the opportunity to do it immediately.
 
We see the current eTendering system in Andhra Pradesh as mother of all scams to a tune of Rs. 38,000 Crores. We further request you initiate appropriate investigation and ask the Anti Corruption Bureau to look into the matter in this regard.
 
And also ensure that Key Government officers who were in charge of enabling www.eprocuremnet.gov.in and M/s. C1 India Key Officers should not get a chance to fly away and try to cover this major scam because of their influence.
 
Looking forward to hear form you soon.
 
Ramesh Sinha
Director/CEO
Applitech Tendercity.com I Pvt.  Ltd.
98250 21784
rsinha@tendercity.com

To , Sri Ramesh Sinha, Director/CEO Applitech Tendercity.com Pvt Ltd. Ahmedabad, Gujarath.

Lr.No. 2852/eProcurement/IT&C

Department/2005 Dated 5-12-2005

Sir,

Sub: eProcurement- Representation of Sri. Ramesh

 Sinha, CEO, Appllitech Tendercity. com India Pvt.

 Ltd.- Apprehensions on security in eProcurement

 platform – Reply- Reg.

Ref: 1. Letter No. Nil dated 8^th November, 2005 from Sri. Ramesh Sinha, CEO,   Applitech Tendercity. com India Pvt. Ltd. addressed to Project Manager,   eProcurement, IT&C Dept. 2. email dated 26.11.2005 from Sri. Ramesh Sinha, CEO Appllitech Tendercity.   com India Pvt. Ltd.- addressed to Secretary IT&C

1. With reference to your correspondence cited above on the issues related to compromise on security in eprocurement platform of Government of Andhra Pradesh (GoAP) on account of non encryption of sensitive data and malicious System administrator are purely hypothetical in nature. The IT&C Department of GoAP is aware that the security& secrecy of tender data is of paramount importance as the portal handles sensitive procurement transactions of Govt departments and has foreseen the above concerns during the conception stage of the eProcurement project itself. Accordingly, following stringent security measures have already been implemented in the system to ensure that transactions on eProcurement portal happen in the most secured manner.

• Physical security of data center. Entry to the Data center is with Bio metric smart cards, round the clock CCTV monitoring and under strict personal supervision of Data center personnel.
• Web security through 128 bit Secured Socket Layer (SSL) Technology from client end to server for secured passage of data The SSL certificate has been issued by a US based CA. Is this CA recognised by CCA? Is this certificate valid legally at all? How is it that the domain ownership of a .gov.in domain is with a private limited company, as it says in the server certificate?
• Fire walls, intrusion detection system, online virus check, up to date anti virus system, online OS patches to prevent malicious attacks
• Network monitoring system to monitor the service levels of the site.
• Sound back up methods for storing data.
• Comprehensive audit logs of all events that are taking place on the platform
• Access controls, sharing of functions between system administrator and data base administrator
• Third party security audit of eProcurement system. M/s. PWC has conducted security audit in pilot phase (2003) and has expressed that security is uncompromising. APTS is in the process of finalizing Security consultant for taking up another third party security audit of the system at the earliest. PWC was the consultant appointed. PWC was in a joint venture with M/s C1 India Pvt Ltd for NIC Tender. How is PWC “third party”?
• Encryption of sensitive data (price bids). This has been done using internal algorithm during pilot phase and subsequently done through Digital Certificates issued by third party Certifying Agency (TCS) in compliance to IT Act, in the roll out phase i.e. from January 2005. “Internal Algorithm”? There is no such thing. If the algorithm cannot be made public, it is not worth anything. There is still no encryption taking place on the client side. The acceptable method would be encryption using Digital Certificates and the encryption should take place on the client side.
• All this is keeping the site safe from unauthorised access. We have never questioned this. What we are consistently questioning is keeping the data on the site safe from authorised, albiet unethical, access.

1. The GoAP has embarked upon eProcurement in 2002 with an objective to reform the prevalent manual tendering process which has severe short comings. eProcurement is to be implemented across whole government to bring transparency, derive process efficiency, cost and time reduction for both government & suppliers. The e-procurement project was envisaged by Govt. of Andhra Pradesh in the year 2002 under PPP- ASP (Application service Provider) model and the implementation of Pilot Phase was started in four departments on 29^th January 2003. Since as on that date there were hardly 1 or 2 Certifying Authorities with national presence for issue of Digital certificates, the IT&C department has taken a conscious decision to go ahead with the eProcurement initiative without insisting for Digital Certificates in the Pilot phase and at the same time not compromising on the security and to gradually make way for implementation of Digital Certificates in the rollout phase, as it was expected that issue as well as usage of Digital Certificate processes would stabilize over time. The process of getting a digital certificate remains the same today as it was when the eTendering commenced in 2003. It is not any more easier or difficult. It took 10 minutes then, if all the documents were available. So the perception of unstable processes was purely imaginary and misguided. It is to be mentioned that non usage of Digital certificate would not amount to breach of security as there are alternative technologies to implement fool proof security in IT systems. For example, Digital Signatures are not being used for internet banking, online train bookings, online airline ticket bookings and several other eGovernance initiatives implemented by various state governments. It doesn’t mean that all these transactions are compromising the security and are violating the IT Act 2000. Read the disclaimers. The disclaimer for HDFC bank (https://netbanking.hdfcbank.com/netbanking/netbk-terms-con.htm), under the section titled NETBANKING, clearly writes “ I shall not request /demand any evidence of proof for transactions undertaken through the Net “. Similar wordings on all online banking sites, railway reservations etc. Forget online ticket bookings, even booking a ticket at the counter, you are asked to fill up a form giving the name of the passenger. No proof of identification is asked. Will you qualify a tenderer who makes claims in the experience criteria, but does not substantiate it with certificate of completion, etc. These business are serving a very different need, and their online presence is only a way to increase convinience for customers. The fact that you have booked a ticket is not to be kept secret from everyone till the date of the journey. Comparing these sites with an eprocurement site is comparing apples and oranges. If you still want to persist in the comparision, I have three words for you “Credit Card Fraud”. Since this is happening in the ecommerce world, and you are following the same standards, the “etendering scam” is definitely happening. The online transactions which do not use digital certificates are not in compliance with the IT Act. Any person who conducts such transactions will not have recourse to a court of law under the IT Act.

1. Subsequently with more number of Certifying Authorities coming up, action was initiated to use Digital Certificates for authentication and encryption. Accordingly Andhra Pradesh Technological Services (APTS), a PSU of GoAP has become a Sub-CA to M/s. TCS-CA (certifying authority) for issuing Digital Certificates to the users of eGovernance applications of GoAP and started issuing digital certificates to the users of eProcurement platform in December 2004. As soon as the infrastructure was well in place in Andhra Pradesh, a PKI enabled eProcurement pilot was initiated for high value EPC type Jalayagnam tenders of Irrigation &CAD department from last week of December’2004. On success of this Pilot, Govt Orders were issued vide G.O.Ms 6 IT&C Dated 28-2-2005 for mandatory implementation of PKI with digital certificates for eProcurement w.e.f 1^st March 2005. Am I the only one who is not stupid around here? The eprocurement portal of the GoAP accepts only TCS-CA certificates. That may or may not be a violation of the IT Act, but it definitely does not seem like a fair trade practice. What are the compelling reasons for this practice? Till date, Rs. 32000 worth of etenders have been processed in the most insecure fashion. A token compliance with the IT Act does not mean that systems are foolproof. The fact remains that the system administration can still see the price bids. The current process still uses digital certificates for login and signing of price bids. It still does not sign the technical bids or encrypt the price bids on the client side. This has been clearly demonstrated to the IT Secretary on 24 November, and indicated to APTS on 3 December. And as of 6^th December, eprocurement.gov.in is happily functioning.

1. It is to mention that your contention about approximately 5000 tenders worth Rs 31,000 Crores have been processed with security loopholes with out using Digital Certificate on eProcurement platform of GoAP is misleading, completely baseless, self presuming and an attempt to sensationalise the issue . The actual statistics are furnished in the following table.

Period  Nos of Tenders Value   29-1-2003 to 28-12-2004. (pre PKI implementation with Digital certificates issued by TCS)  2506 Tenders  Rs 4,506 Crores   29-12-2004 to till date (post PKI implementation with Digital Certificates issued by TCS)  7335 Tenders Rs 28,072 Crores

You are absolutely right on this one. We gave totally misleading figures. The correct figures are: 9841 tenders worth Rs. 32,578 crores have been processed with security loop holes

1. It is to clarify that though the eProcurement platform was not using Digital Certificates for authentication and encryption in the pilot phase i.e., upto 28-12-2004, all the security issues were well addressed with good security policy in place viz., 128 bit SSL encryption for the data flow from client end to eprocurement servers, encryption of sensitive data (price bids) with COM based DLL using internal algorithm in symmetric method at server side , storing of data in encrypted form at the server end prior to opening of bids, controlled access to administrators, storing of log of all activities, third party security audit of the system etc,. “internal algorithm – symmetric method – server side”. How many times will have to go through this? The system administrator in question happens to be a private company called C1 India Pvt Ltd, based in Delhi. What are the compelling reasons for continuing to trust and defend the service provider with a system which could allow the price bids to be accessed from anywhere in the world.

1. The PKI enabled eProcurement software using the Digital Certificates issued by TCS, a third party Certifying Authority, is implemented with effect from 29-12-2004 for high value EPC tenders of Irrigation department and later made mandatory for all other tenders w.e.f 1-3-2005. The digital signature process has been finalized after several rounds of consultations among the IT&C Department, TCS-CA, C1India and it was decided to adopt hybrid of both Symmetric and Asymmetric encryption methods to encrypt the sensitive data (price bids) of the bidders at the server side, generate detached digital signature as a best practice before storing them in the database. The sensitive data submitted by the bidder travels from the client machine to the server through 128 bit Secured socket layer and is encrypted with the buyer’s Digital certificate at the server side using TCS control tools. The data (price bid) is stored in encrypted format in the database and cannot be viewed in readable format by anyone including the database administrator prior to decrypting the bid by the buyer with his private key on lapse of specified time and date of opening of bids. These processes were shown to the media during tender opening of high value EPC tenders under ‘Jalayagnam’ programme. The detached or attached digital signatures are a moot point considering there is no encryption taking place on the client site. This effectively means that the system administrator still has ability to access the technical/price bids. The system administrator in question happens to be a private company called C1 India Pvt Ltd, based in Delhi. What are the compelling reasons for continuing to trust and defend the service provider with a system which could allow the price bids to be accessed from anywhere in the world.

1. The transaction fee payable to M/s C1 India has been approved by the GoAP based on recommendations of sub-committee of Secretaries over a report prepared by a consultant with due diligence in October 2004 and is valid from 1-4-2004 to 31-3-2007, as per an agreement entered between the IT&C Department of GoAP and M/s C1 India. The revised transaction fee structure is significantly lower than the charges agreed for Pilot phase in the original agreement and comparable to the open market rates charged for similar level of eProcurement services by reputed firms in India. How does this revised transaction fee structure compare with the quotes submitted by this vendor in other parts of the country? Would you care to declare the reputed firms and their open market rates? Would you care to comment on what rates you would get if they were to quoted in competitive environment? Even the modified rates are amongst the highest as of today. For 1/10^th of the amount paid by the GoAP to the service provider as fees, it could have procured a secure product, with complete IT Act compliance, along with source code.

1. With regards to your presumptions on administrators role, it is clarified that the GoAP is taking eProcurement services from M/ C1 India through Application Service Provider model. In this model the service provider is totally responsible for operation and maintenance of the eprocurement platform and the services are regulated through a Service level agreement entered between the department and service provider. In view of this the System Administrator and Database Administrator privileges are retained with M/s C1India, as is the case in any other eprocurement portal delivering services on ASP model. The Privileges and functions are shared between different people of the company to avoid security lapse. The Operating System of Application maintain logs of all activities performed by System Administrator and Database Administrator. The Public Key Infrastructure is a fool proof measure for maintaining secrecy and security of Data as the System administrator would not be able to decrypt the bids on his own and also will not be in a position to view the bids as the data is stored in an encrypted mode in non-readable form. In addition to this, the bid opening is governed by date and time fixed for opening, which is basically server time hosted in a very secured professionally managed data center. In view of this multi level checks and balances implemented in the system, the security & secrecy of sensitive data is assured. Therefore, the eProcurement transactions are carried out in most secured manner to the benefit of society at large. By surrendering all privileges with the vendor, the government does not indemnify itself. Several times earlier in this document you have stated that the encryption is carried out using internal algorithm on the server side. Suddenly, this has changed to PKI, which I am assuming means that the well known algorithm which is asymmetric is being used. But this is still on the server side. This leaves room for play. This is like saying to your vendors “Fax me your price bids, I will put them in an envelope, seal them and drop them in the tender box for you”. Also, I am assuming that since the encryption is taking place on the server side, the decryption must also be taking place on the server side. Which, assuming you are using Public Key Encryption, means that the private key is available on the server side. What more is required to decrypt the data? And if the encryption is infact taking place on the server side, and the vendor does in fact have full control over the system, there cannot be any “assured” stamp on the secrecy (note that we are not disputing the security). The best practice of using signing and encryption have been explained and demonstrated to the IT Secy as well as APTS. If any part of this is not understood clearly, please feel free to call us again to explain the same. However, the fact remains that the existing site falls way short of the standards of secrecy required by eTendering and therefore every tender being processed is liable to be scrapped. To prevent further damage to the state government, we strongly suggest that you stop all procurement using this site.

1. You must be aware that procurement transactions in the government domain are so sensitive that even a little amount of doubt about the integrity of data in eProcurement platform would have lead to public outcry and this platform would not have gained acceptance from the supplier community. The eProcurement platform has processed 9841 tenders aggregating to Rs 32578 Crores from January 2003 to end of November 2005. It is to emphasise that all these transactions were carried out in a very secured manner without a single instance of complaint from the suppliers about their bid values getting tampered or some favoured bidder getting advantage due to breach of secrecy by the service provider. The proof could also be corroborated from the fact that most of the completed transactions on eprocurement portal (90 % of tenders) are discounted quotations to a tune of 8 -10 % over the estimated rates, which resulted in savings of more than Rs.2000 crores of public money to the Govt. It is pertinent to highlight that in several tenders with a single bidder participation, the price bid quotations were on lower side of estimated value. This could not have been possible had the security and secrecy of bids submitted by bidders been compromised by the service provider as presumed by you. A third party security audit conducted during the pilot phase in pre PKI period has no adverse comments on data security and secrecy. Hence, your concerns on compromise in security & secrecy in eprocurement platform of GoAP are baseless and unfounded. These same statements when taken with the fact that secrecy of bids is not fool proof, become proof of the mischief we are claiming.

1. Further, as per our security policy, the APTS is finalising a consultant for conducting third party security audit of eprocurement application for the current year and the bids are scheduled to close by 12-12-2005. Among other things, the scope of audit includes transaction audit of all EPC tenders (high value) and 50 numbers of randomly selected regular tenders processed through the platform. I suggest you appoint Infosys, Microsoft, etc. or any liscensed CA like TCS, Safescrypt, Ncode or Tendercity as the third party auditor. I suggest that you include in the scope of the audit, not just the current system, but also the past transactions on this system. If you are so sure that the service provider is a completely honest and trustworthy party, you should not have any hesitation in expanding the scope of the audit.

1. It is not our intention to cast any aspersions on you for this misinformation campaign against one of the most successful reforms in the country, which made considerable social impact by eliminating contractor cartels in government tenders to a greater extent, brought in transparency and saved huge amounts of tax payers money. However, it is understood that your firm (Tendercity) is locked in a legal battle against our service provider(C 1 India) and it is quite possible that your complaint is a motivated one because of the business rivalry. If you bothered to get the case papers and go through them, or else ask your legal department to brief you on them, instead of just relying on the information that is fed to you, you will find that it is an ex-party stay order obtained by C1 India, which prevents us from using C1 Indias eprocurement software. We were not present when the stay was obtained. We are not using C1 Indias eprocurement software. Now that you have more information, you can better judge who is motivated and who has the feeling of business rivalry. We are drawn into unnessary, time consuming and costly litigation. M/s C1 India has been faxing these court orders to all our customers, resulting in further dilution of our resources and defamation of our company and product. We have solid faith in Indian Legal System. We urge you to track the case more closely and independently.

1. In view of the above facts and figures, It is to inform that we have reviewed our processes based on the security concerns raised vide your letters cited and found that they are self presuming apprehensions, lacking any basis, as all transactions on eProcurement platform are conducted in the most secured way without any compromise on security and secrecy of sensitive tender data. It is requested to circulate this response to all the addresses to whomever you have marked a copy of the petitions cited either in electronic or physical mode, besides hosting on tendercity India times web site for 15 days at your cost. It is also advised to refrain from any such misinformation campaign against GoAP’s eProcurement project in future, otherwise the GoAP would be compelled to take appropriate legal recourse against you. The above facts and figures are totally in agreement with what we have been saying all along. I would advise you to learn from independent sources what constitutes “secrecy of sensitive tender data”. We will gladly circulate this response as well as host it on the tendercity indiatimes web sites. We assume that the 15 days is a lower limit and that there is no upper limit. We will continue to host this response for as long as we are able to bear the cost. We are still not able to believe that you gave all this in writing. We would however request you to either send us a printed and signed copy of this letter, or else a digitally signed electronic copy of this letter, so that you would not, at a later date, accuse us of forgery.

      We will be pleased if GoAP takes the matter to the court. If the site is not pulled down immediately, we would be forced to file a public interest litigation against GoAP, in the Supreme Court of India. In light of the admissions you have made in this letter, we request you to start the process of reinvitation of all 9841 tenders.

      Yours sincerely,

      Secretary, IT&C dept,

      Govt of Andhra Pradesh,

      Hyderabad